
10/M 1002 



STATE OF ISRAEL 



Ministry of Justice 
Patent Office 



29 MAR 2004



WIPO 



PCT 



This is to certify that 
annexed hereto is a true 
copy of the documents as 
originally deposited with 
the patent application 
particulars of which are 
specified on the first page 
of the annex. 







PRIORITY DOCUMENT 

SUBMITTED OR TRANSMITTED IN 
COMPLIANCE WITH 
RULE 17.1(a) OR (b)

Commissioner of Patents




PATENTS LAW, 5727-1967 

Application for Patent 

C:49324

I (Name and address of applicant, and, in case of body corporate - place of incorporation)

NDS LIMITED
One London Road
Staines, Middlesex TW18 4EX
UNITED KINGDOM

Inventors: Yaacov Belenky & Chaim D. Shen-Orr (Israeli Citizens)

Owner, by virtue of Assignment, of an invention, the title of which is:

CFM SYSTEM

hereby apply for a patent to be granted to me in respect thereof.




This 15 of July of the year 2003






FIELD OF THE INVENTION 
The present invention relates to block cipher systems in general, and 
in particular to block cipher systems in CFM mode. 

BACKGROUND OF THE INVENTION 
Block ciphers are well known in the art, as is the use of block 
ciphers in Cipher Feedback mode (CFM), also known as Cipher Feed Back (CFB) 
mode. CFM mode was originally defined as a mode of operation of the well 
known DES system; see, for example, the following references: 

1. NIST, FIPS Publication 81: DES Modes of Operation, 1980,
which is available on the Internet at:

csrc.nist.gov/publications/fips/fips81/fips81.htm

2. ANSI, American National Standard X3.106-1983 (R1966): Data
Encryption Algorithm, Modes of Operations for the, 1983.

A short description of CFM mode may be found on the Internet at:

www.rsasecurity.com/rsalabs/faq/2-1-4-4.html
The disclosures of all references mentioned above and throughout 
the present specification are hereby incorporated herein by reference. 

SUMMARY OF THE INVENTION

The present invention seeks to provide an improved block cipher 
system, particularly but not exclusively useful for hardware-based encryption and 
decryption, especially for encryption and decryption of digital content. 

In general, devices which encrypt and decrypt digital content must 
perform both encryption and decryption of data. Preferably, in order to simplify 
hardware design and minimize hardware gate count, the inventors of the present 
invention believe that the following requirements should preferably be met: 

1. An encryption engine should preferably be provided in hardware 
for only one direction of a block cipher. 

2. Data to be encrypted / decrypted (referred to herein as "data") 
comprises a plurality of packets. Encryption / decryption of a packet must in no 
way relate to any previous packet or packets. In other words, it is prohibited to 
have any "chaining" from one packet to another in decryption. The typical reason 
for the prohibition of "chaining" is that the physical stream to be decrypted is 
typically multiplexed from multiple logical streams, so any "chaining" information
must be stored and managed for each logical stream independently; persons skilled
in the art will appreciate that such a "heavy" requirement should be avoided.

3. The encryption / decryption key is changed much less often than 
packets arrive; therefore, many packets are encrypted with the same key. 

4. Packet encryption and decryption should be performed in one
pass.

5. Certain bits of the packet must not be affected by encryption and
decryption. That is, certain bits must stay "in the clear"; bits, bytes, or data that
must stay in the clear are also termed herein "Must Stay Clear" or "MSC" bits,
bytes or data. The reason for the requirement of certain bits being unaffected by 
encryption and decryption is in order to have some information about the stream 
available in the clear even before decryption. For example, and without limiting 
the generality of the foregoing, in an MPEG-2 transport stream the four first bytes 
of each packet stay in the clear; the four first bytes provide: information needed 
for demultiplexing; information as to whether the packet is encrypted at all; if the 
packet is encrypted, information as to whether the packet is encrypted with even or 
odd key; and other information as is well known in the art. In some packets, the 
header indicates that an initial part of the packet is the "adaptation field" which 
provides some other information necessary for the receiver; such information must 
always stay in the clear as well. Optionally a broadcaster may choose to send even 
part of video information in the clear, for example to make search easier in 
personal video recorder (PVR) systems. 

Prior art encryption systems address the above-mentioned 
requirements only partially; in particular, requirement 1 is not addressed. 

Reference is now made to Figs. 1A and 1B, which are simplified
block diagram illustrations of a prior art block cipher system operating in CFM
mode. Fig. 1A illustrates encryption, while Fig. 1B illustrates decryption.
Persons skilled in the art will appreciate that, without requirement 4, it is possible
to use any appropriate block cipher in CFM mode:

C_0 = IV

C_i = E_K(C_{i-1}) XOR P_i

where 0 < i <= the number of blocks being processed, and where P_i and C_i
are the i-th blocks of plaintext and ciphertext respectively, E is any appropriate
block mode cipher, K is a key, and IV is an initial value, which may optionally
comprise a publicly known initial value.

The corresponding decryption method is:

C_0 = IV

P_i = E_K(C_{i-1}) XOR C_i

where 0 < i <= the number of blocks being processed.

As is well known in the art, CFM mode is intended to allow a block 
cipher to be used as if it were a stream cipher, so that processing may occur on a 
byte-by-byte basis or even on a bit-by-bit basis, rather than on a block-by-block 
basis. 

The present invention, in preferred embodiments thereof, provides 
improved block cipher systems which are intended to better address the above- 
mentioned requirements. 

There is thus provided in accordance with a preferred embodiment
of the present invention a method for producing at least one ciphertext block from
at least one plaintext block using a block cipher E and a key K, the method
including receiving n plaintext blocks, wherein n is an integer greater than 0,
setting Q_0 equal to an initial value, and for each plaintext block of the n plaintext
blocks: computing Q_i = E_K(Q_{i-1}) XOR P_i; and computing C_i = M(P_i, Q_i),
thereby producing n ciphertext blocks, wherein 0 < i <= n, and
P_i denotes an i-th plaintext block of the n plaintext blocks, and C_i denotes an
i-th ciphertext block of the n ciphertext blocks, and M is a selector function which,
for each bit C_{ij} of block C_i, selects a first argument of M if bit P_{ij} is not to be
encrypted, and selects a second argument of M if bit P_{ij} is to be encrypted.

Further in accordance with a preferred embodiment of the present 
invention M is chosen in accordance with a standard indicating bits that are not to 
be encrypted. 

Still further in accordance with a preferred embodiment of the
present invention the standard includes one of the following: an audio standard, a
video standard, and an audio-video standard.

Additionally in accordance with a preferred embodiment of the 
present invention the standard includes MPEG-2. 

There is also provided in accordance with another preferred
embodiment of the present invention a method for producing at least one
ciphertext block from at least one plaintext block using a block cipher E and a key
K, the method including receiving n plaintext blocks, wherein n is an integer
greater than 0, and an initial value IV, computing IV' = M(P_1, IV),
computing Q_0 = H(IV'), and for each plaintext block of the n plaintext
blocks: computing Q_i = E_K(Q_{i-1}) XOR P_i; and computing C_i = M(P_i, Q_i),
thereby producing n ciphertext blocks, wherein 0 < i <= n, and H
is a hash function, and P_i denotes an i-th plaintext block of the n plaintext
blocks, and C_i denotes an i-th ciphertext block of the n ciphertext blocks, and M
is a selector function which, for each bit C_{ij} of block C_i, selects a first argument
of M if bit P_{ij} is not to be encrypted, and selects a second argument of M if bit
P_{ij} is to be encrypted.

Further in accordance with a preferred embodiment of the present
invention H includes SHA1.

Still further in accordance with a preferred embodiment of the
present invention H(IV') includes E_K(IV') XOR IV'.

Additionally in accordance with a preferred embodiment of the
present invention M is chosen in accordance with a standard indicating bits that are
not to be encrypted.

Moreover in accordance with a preferred embodiment of the present
invention the standard includes one of the following: an audio standard, a video
standard, and an audio-video standard.

Further in accordance with a preferred embodiment of the present 
invention the standard includes MPEG-2. 

There is also provided in accordance with another preferred
embodiment of the present invention, in a method for producing at least one
ciphertext block from at least one plaintext block using a block cipher E and a key
K in a stream mode, wherein P_i denotes an i-th plaintext block, and C_i denotes
an i-th ciphertext block, an improvement including for each bit C_{ij} of block C_i,
selecting P_{ij} as an output if bit P_{ij} is not to be encrypted.

Further in accordance with a preferred embodiment of the present
invention the stream mode includes CFM mode.

There is also provided in accordance with another preferred
embodiment of the present invention apparatus for producing at least one
ciphertext block from at least one plaintext block using a block cipher E and a key
K, the at least one plaintext block including n plaintext blocks, the at least one
ciphertext block including n ciphertext blocks, wherein n is an integer greater than
0, the apparatus including an initialization unit for setting Q_0 equal to an initial
value, and a computation unit operative, for each plaintext block of the n plaintext
blocks: to compute Q_i = E_K(Q_{i-1}) XOR P_i; and to compute C_i = M(P_i, Q_i),
wherein 0 < i <= n, and P_i denotes an i-th plaintext block of the
n plaintext blocks, and C_i denotes an i-th ciphertext block of the n ciphertext
blocks, and M is a selector function which, for each bit C_{ij} of block C_i, selects a
first argument of M if bit P_{ij} is not to be encrypted, and selects a second argument
of M if bit P_{ij} is to be encrypted.

There is also provided in accordance with yet another preferred
embodiment of the present invention apparatus for producing at least one
ciphertext block from at least one plaintext block using a block cipher E, a key K,
and an initial value IV, the at least one plaintext block including n plaintext blocks,
the at least one ciphertext block including n ciphertext blocks, wherein n is an
integer greater than 0, the apparatus including a first computation unit for
computing IV' = M(P_1, IV), a second computation unit for computing
Q_0 = H(IV'), and a third computation unit operative, for each plaintext
block of the n plaintext blocks: to compute Q_i = E_K(Q_{i-1}) XOR P_i,
and to compute C_i = M(P_i, Q_i), wherein 0 < i <= n, and H is a hash
function, and P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and M is a selector
function which, for each bit C_{ij} of block C_i, selects a first argument of M if bit
P_{ij} is not to be encrypted, and selects a second argument of M if bit P_{ij} is to be
encrypted.

There is also provided in accordance with still another preferred
embodiment of the present invention, in apparatus for producing at least one
ciphertext block from at least one plaintext block using a block cipher E and a key
K in a stream mode, wherein P_i denotes an i-th plaintext block, and C_i denotes
an i-th ciphertext block, an improvement including a selector unit operative, for
each bit C_{ij} of block C_i, to select P_{ij} as an output if bit P_{ij} is not to be
encrypted.

There is also provided in accordance with yet another preferred
embodiment of the present invention a method for producing at least one plaintext
block from at least one ciphertext block encrypted using a block cipher E and a
key K, the method including receiving n ciphertext blocks, where n is an integer
greater than 0, setting Q_0 equal to an initial value, and for each ciphertext block
of the n ciphertext blocks: computing Q'_i = E_K(Q_{i-1}) XOR C_i;
computing P_i = M(C_i, Q'_i); and computing Q_i = M(Q'_i, C_i),
thereby producing n plaintext blocks, wherein 0 < i <= n, and P_i denotes an i-th
plaintext block of the n plaintext blocks, and C_i denotes an i-th ciphertext block
of the n ciphertext blocks, and M is a selector function which, for each bit C_{ij} of
block C_i, selects a first argument of M if bit P_{ij} is not encrypted, and selects a
second argument of M if bit P_{ij} is encrypted.



Further in accordance with a preferred embodiment of the present 
invention M is chosen in accordance with a standard indicating bits that are not 
encrypted. 

Still further in accordance with a preferred embodiment of the
present invention the standard includes one of the following: an audio standard, a
video standard, and an audio-video standard.

Additionally in accordance with a preferred embodiment of the 
present invention the standard includes MPEG-2. 

There is also provided in accordance with another preferred
embodiment of the present invention a method for producing at least one plaintext
block from at least one ciphertext block using a block cipher E and a key K, the
method including receiving n ciphertext blocks, wherein n is an integer greater
than 0, and an initial value IV, computing IV' = M(P_1, IV), computing
Q_0 = H(IV'), and for each ciphertext block of the n ciphertext blocks:
computing Q'_i = E_K(Q_{i-1}) XOR C_i, computing P_i = M(C_i, Q'_i),
and computing Q_i = M(Q'_i, C_i), thereby producing n plaintext
blocks, wherein 0 < i <= n, and H is a hash function, and P_i denotes an i-th
plaintext block of the n plaintext blocks, and C_i denotes an i-th ciphertext block
of the n ciphertext blocks, and M is a selector function which, for each bit C_{ij} of
block C_i, selects a first argument of M if bit P_{ij} is not encrypted, and selects a
second argument of M if bit P_{ij} is encrypted.

Further in accordance with a preferred embodiment of the present
invention H includes SHA1.

Still further in accordance with a preferred embodiment of the
present invention H(IV') includes E_K(IV') XOR IV'.

Additionally in accordance with a preferred embodiment of the
present invention M is chosen in accordance with a standard indicating bits that are
not encrypted.

Moreover in accordance with a preferred embodiment of the present
invention the standard includes one of the following: an audio standard, a video
standard, and an audio-video standard.

Further in accordance with a preferred embodiment of the present 
invention the standard includes MPEG-2. 

There is also provided in accordance with another preferred
embodiment of the present invention, in a method for producing at least one
plaintext block from at least one ciphertext block using a block cipher E and a key
K in a stream mode, wherein P_i denotes an i-th plaintext block of the plurality of
plaintext blocks, and C_i denotes an i-th ciphertext block of the plurality of
ciphertext blocks, an improvement including for each bit P_{ij} of block P_i,
selecting C_{ij} as an output if bit C_{ij} is not encrypted.

Further in accordance with a preferred embodiment of the present
invention the stream mode includes CFM mode.

There is also provided in accordance with another preferred
embodiment of the present invention apparatus for producing at least one plaintext
block from at least one ciphertext block encrypted using a block cipher E and a
key K, the at least one ciphertext block including n ciphertext blocks, the at least
one plaintext block including n plaintext blocks, wherein n is an integer greater
than 0, the apparatus including initialization apparatus for setting Q_0 equal to an
initial value, and a computation unit operative, for each ciphertext block of the n
ciphertext blocks: to compute Q'_i = E_K(Q_{i-1}) XOR C_i; to compute
P_i = M(C_i, Q'_i); and to compute Q_i = M(Q'_i, C_i), wherein 0 < i
<= n, and P_i denotes an i-th plaintext block of the n plaintext blocks, and C_i
denotes an i-th ciphertext block of the n ciphertext blocks, and M is a selector
function which, for each bit C_{ij} of block C_i, selects a first argument of M if bit
P_{ij} is not encrypted, and selects a second argument of M if bit P_{ij} is encrypted.

There is also provided in accordance with yet another preferred
embodiment of the present invention apparatus for producing at least one plaintext
block from at least one ciphertext block using a block cipher E and a key K, the at
least one ciphertext block including n ciphertext blocks, the at least one plaintext
block including n plaintext blocks, wherein n is an integer greater than 0, the
apparatus including a first computation unit for computing IV' = M(P_1, IV),
a second computation unit for computing Q_0 = H(IV'), and a third
computation unit operative, for each ciphertext block of the n ciphertext blocks: to
compute Q'_i = E_K(Q_{i-1}) XOR C_i; to compute P_i = M(C_i, Q'_i);
and to compute Q_i = M(Q'_i, C_i), wherein 0 < i <= n, and H is a
hash function, and P_i denotes an i-th plaintext block of the n plaintext blocks,
and C_i denotes an i-th ciphertext block of the n ciphertext blocks, and M is a
selector function which, for each bit C_{ij} of block C_i, selects a first argument of
M if bit P_{ij} is not encrypted, and selects a second argument of M if bit P_{ij} is
encrypted.

There is also provided in accordance with still another preferred
embodiment of the present invention, in apparatus for producing at least one
plaintext block from at least one ciphertext block using a block cipher E and a key
K in a stream mode, wherein P_i denotes an i-th plaintext block of the plurality of
plaintext blocks, and C_i denotes an i-th ciphertext block of the plurality of
ciphertext blocks, an improvement including a selector unit operative, for each bit
P_{ij} of block P_i, to select C_{ij} as an output if bit C_{ij} is not encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully
from the following detailed description, taken in conjunction with the drawings in
which:

Figs. 1A and 1B are simplified block diagram illustrations of a prior
art block cipher system operating in CFM mode;

Figs. 2A and 2B are simplified block diagram illustrations of a 
block cipher system constructed and operative in accordance with a first preferred 
embodiment of the present invention; and 

Figs. 3A and 3B are simplified block diagram illustrations of a 
block cipher system constructed and operative in accordance with a second 
preferred embodiment of the present invention. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In accordance with a first preferred embodiment of the present
invention, a block cipher system based generally on CFM is provided, with
modification made to meet requirement 4 mentioned above. The modification
is preferably as follows:

Q_0 = IV

Q_i = E_K(Q_{i-1}) XOR P_i

C_i = M(P_i, Q_i)

where 0 < i <= the number of blocks being processed, and
where for each bit C_{ij} of block C_i
function M selects between its first argument (in this case P_{ij}) and its second
argument (in this case Q_{ij}) depending on whether the present bit of the plaintext
should be encrypted or not. For a bit C_{ij}, the result of function M (termed herein a
"selector function", and also known in the art as a multiplexer) may depend on all
preceding blocks of the plaintext, and on those preceding bits of the plaintext in
the current block C_i that are not encrypted.

It is appreciated that the function M is chosen based on operational
requirements which specify which bits should or should not be encrypted, as is
explained in more detail below with reference to Figs. 2A, 2B, 3A, and 3B.

The corresponding decryption method is:

Q_0 = IV

Q'_i = E_K(Q_{i-1}) XOR C_i

P_i = M(C_i, Q'_i)

Q_i = M(Q'_i, C_i)

where 0 < i <= the number of blocks being processed.

Persons skilled in the art will appreciate that the first preferred
embodiment has a weakness, compared with regular use of the block cipher, as
follows. For all packets encrypted with the same key K the first block P_1
will be encrypted by XOR with the same pad E_K(IV),
which method is insecure. More generally, in a case where there are several
packets whose first n blocks are identical and (n+1)-th blocks differ, the XOR
pads of those packets will be identical up to the (n+1)-th block, and different from
the (n+2)-th block on.

Nevertheless, in contexts where making it easier for an unauthorized
person to decrypt a small part of the content is not critical, and there is much
variability between packets, as in video- and audio-streams, the indicated
weakness may be tolerable.

Without limiting the generality of the foregoing, the special case of
MPEG Transport Stream, such as in MPEG-2 (as described in ISO/IEC 13818-1,
Information technology - Generic coding of moving pictures and associated audio
information: Systems), will now be considered. Persons skilled in the art will
appreciate that MPEG-2 is provided as an example only, and is not meant to be
limiting.

Reference is now made to Figs. 2A and 2B, which are simplified
block diagram illustrations of a block cipher system constructed and operative in
accordance with the first preferred embodiment of the present invention. Figs. 2A
and 2B illustrate the special case of the first preferred embodiment of the present
invention, used in an MPEG-2 system. Fig. 2A illustrates encryption, while Fig.
2B illustrates decryption. Figs. 2A and 2B are self-explanatory with reference to
the discussion above and below.

In MPEG-2 each transport packet comprises 188 bytes. The first 4
bytes (bytes 0 - 3) comprise the packet header. The first 4 bytes are always
MSC bytes that must stay in the clear; that is, the first 4 bytes must not be 
encrypted. As is well known in the art of MPEG-2, depending on one of the bits 
in those bytes, there may be an additional adaptation field immediately after the 
header that also must stay in the clear (MSC); in such a case, byte 4 contains the 
length of the adaptation field. The rest of the packet should be encrypted / 
decrypted. 

If, for example, the well-known prior art AES (which is described in
FIPS Publication 197, November 26, 2001, Announcing the Advanced Encryption
Standard (AES), available on the Internet at
csrc.nist.gov/publications/fips/fips197/fips-197.pdf) is used as a block cipher (with
16-byte blocks), each packet may be padded with a 4-byte IV (which may
optionally be publicly known) before the 4 first bytes; this 4-byte IV is in addition
to the 16-byte IV C_0.

After encryption, the 4 first bytes of 

will be discarded; therefore, it does not matter whether the first 4 bytes should be 
encrypted. 

In accordance with a second preferred embodiment of the present
invention, which is believed by the inventor to be stronger against attack than the
first preferred embodiment of the present invention, the clear part of P_1
is mixed into the initial value. For example and without limiting the generality of
the foregoing, the following method may be used:

IV' = M(P_1, IV)

Q_0 = E_K(IV') XOR IV'

Q_i = E_K(Q_{i-1}) XOR P_i

C_i = M(P_i, Q_i)

where 0 < i <= the number of blocks being processed.

It is appreciated that the present invention is not limited to the use of
the formula

Q_0 = E_K(IV') XOR IV'

Rather, any appropriate hash function of IV' may be used. In general, for an
appropriate hash function H:

Q_0 = H(IV')

For example, and without limiting the generality of the foregoing,
the well-known SHA1 hash function may be used. The SHA1 hash function is
described, for example, in the following two publications:

FIPS PUB 180-1, published 17 April 1995 and entitled "Secure
Hash Standard", available on the Internet at: www.itl.nist.gov/fipspubs/fip180-1.htm; and

RFC 3174, published September 2001 and entitled "US Secure
Hash Algorithm 1 (SHA1)", available on the Internet at
www.ietf.org/rfc/rfc3174.txt?number=3174

The corresponding decryption method is:

IV' = M(P_1, IV)

Q_0 = H(IV')

Q'_i = E_K(Q_{i-1}) XOR C_i

P_i = M(C_i, Q'_i)

Q_i = M(Q'_i, C_i)

where 0 < i <= the number of blocks being processed.

Persons skilled in the art will appreciate that, in the second preferred 
embodiment of the present invention, any two packets that have a different initial 
clear part of the first block will have a completely different XOR pad. Therefore, 
the number of packets with the same XOR pad, even for the first block only, will 
decrease, making it more difficult to use the weakness described above with 
reference to the first preferred embodiment of the present invention. 
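
The following Python sketch is an added illustration, not part of the specification as filed: it implements both embodiments and their decryption methods for an MPEG-2 style packet, and exposes the first-block XOR pad so the weakness of the first embodiment and the effect of mixing the clear part of P_1 into the initial value can be checked. Assumptions: E is a SHA-256-based keyed function standing in for the forward direction of a block cipher such as AES, the adaptation-field flag is taken to be bit 0x20 of header byte 3, a short final block is truncated rather than padded, and all function and constant names are illustrative.

```python
import hashlib

BLOCK = 16  # block size in bytes (the text's AES example uses 16-byte blocks)

def E(key: bytes, block: bytes) -> bytes:
    # Assumption: SHA-256 keyed function standing in for the forward direction
    # of block cipher E_K; the mode never needs the inverse of E.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def M(mask: bytes, first: bytes, second: bytes) -> bytes:
    # Selector: where a mask bit is 1 (must stay clear) take `first`, else `second`.
    return bytes((f & m) | (s & ~m & 0xFF) for m, f, s in zip(mask, first, second))

def clear_len(pkt: bytes) -> int:
    # The 4-byte header is always clear; if the adaptation-field flag is set
    # (assumed here: bit 0x20 of byte 3), byte 4 holds the field length.
    n = 4
    if pkt[3] & 0x20:
        n += 1 + pkt[4]
    return min(n, len(pkt))

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def masks(pkt: bytes) -> list:
    n = clear_len(pkt)  # derived from clear bytes only, so identical for P and C
    return split(b"\xff" * n + b"\x00" * (len(pkt) - n))

def q0(key, iv, first_block, first_mask, mix_iv):
    if not mix_iv:
        return iv                            # first embodiment: Q_0 = IV
    iv2 = M(first_mask, first_block, iv)     # IV' = M(P_1, IV)
    return xor(E(key, iv2), iv2)             # Q_0 = H(IV') = E_K(IV') XOR IV'

def encrypt(key, iv, pkt, mix_iv=False):
    blocks, ms = split(pkt), masks(pkt)
    q = q0(key, iv, blocks[0], ms[0], mix_iv)
    out = []
    for p, m in zip(blocks, ms):
        q = xor(E(key, q), p)                # Q_i = E_K(Q_{i-1}) XOR P_i
        out.append(M(m, p, q))               # C_i = M(P_i, Q_i)
    return b"".join(out)

def decrypt(key, iv, ct, mix_iv=False):
    blocks, ms = split(ct), masks(ct)
    # The clear bits of C_1 equal those of P_1, so IV' can be rebuilt from C_1.
    q = q0(key, iv, blocks[0], ms[0], mix_iv)
    out = []
    for c, m in zip(blocks, ms):
        q_prime = xor(E(key, q), c)          # Q'_i = E_K(Q_{i-1}) XOR C_i
        out.append(M(m, c, q_prime))         # P_i = M(C_i, Q'_i)
        q = M(m, q_prime, c)                 # Q_i = M(Q'_i, C_i)
    return b"".join(out)

def first_block_pad(key, iv, pkt, mix_iv=False):
    # XOR pad actually applied to block 1 (zero at the clear positions).
    return xor(encrypt(key, iv, pkt, mix_iv)[:BLOCK], pkt[:BLOCK])

# Constructed sample data: a key, a public IV and three 188-byte packets.
KEY = bytes(range(16))
IV = bytes(16)
PKT_A = bytes([0x47, 0x01, 0x00, 0x10]) + b"A" * 184               # payload only
PKT_B = bytes([0x47, 0x02, 0x00, 0x10]) + b"B" * 184               # different header
PKT_C = bytes([0x47, 0x01, 0x00, 0x30, 7]) + bytes(7) + b"C" * 176  # adaptation field

if __name__ == "__main__":
    for mix in (False, True):
        same = first_block_pad(KEY, IV, PKT_A, mix) == first_block_pad(KEY, IV, PKT_B, mix)
        print("clear part mixed into IV:", mix, "| first-block pads equal:", same)
```

Packets that share the same clear part of the first block still share a first-block pad in the second embodiment, which is why the text speaks of the number of such packets decreasing rather than vanishing.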

Without limiting the generality of the foregoing, the special case of 
MPEG-2, as described above, will now be considered in connection with the 
second preferred embodiment of the present invention. Persons skilled in the art 
will appreciate that MPEG-2 is provided as an example only, and is not meant to 
be limiting. 

Reference is now made to Figs. 3A and 3B, which are simplified 
block diagram illustrations of a block cipher system constructed and operative in 
accordance with the second preferred embodiment of the present invention. Figs. 
3A and 3B illustrate the special case of the first preferred embodiment of the 
present invention, used in an MPEG-2 system. Fig. 3A illustrates encryption, 
while Fig. 3B illustrates decryption. Figs. 3A and 3B are self-explanatory with 
reference to the discussion above and below. 

It is appreciated that, in Figs. 3A and 3B, the particular example of
an XOR function as the function F is depicted; as described above, the present 
invention is not limited to use of the XOR function. 

The above discussion of the special case of MPEG-2 with reference 
to Figs. 2A and 2B also applies to Figs. 3A and 3B. 

It is appreciated that various features of the invention which are, for 
clarity, described in the contexts of separate embodiments may also be provided in 
combination in a single embodiment. Conversely, various features of the 
invention which are, for brevity, described in the context of a single embodiment 
may also be provided separately or in any suitable subcombination. 

It will be appreciated by persons skilled in the art that the present 
invention is not limited by what has been particularly shown and described 
hereinabove. Rather the scope of the invention is defined only by the claims 
which follow: 

What is claimed is:

CLAIMS

1. A method for producing at least one ciphertext block from at least
one plaintext block using a block cipher E and a key K, the method comprising:
receiving n plaintext blocks, wherein n is an integer greater than 0;
setting Q_0 equal to an initial value; and
for each plaintext block of the n plaintext blocks:

computing Q_i = E_K(Q_{i-1}) XOR P_i; and

computing C_i = M(P_i, Q_i),

thereby producing n ciphertext blocks,
wherein:

0 < i <= n, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and

M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not to be encrypted, and selects a second
argument of M if bit P_{ij} is to be encrypted.

2. The method according to claim 1 and wherein M is chosen in
accordance with a standard indicating bits that are not to be encrypted.

3. The method according to claim 2 and wherein the standard
comprises one of the following: an audio standard; a video standard; and an
audio-video standard.

4. The method according to claim 3 and wherein the standard 
comprises MPEG-2. 

5. A method for producing at least one ciphertext block from at least
one plaintext block using a block cipher E and a key K, the method comprising:

receiving n plaintext blocks, wherein n is an integer greater than 0,
and an initial value IV;

computing IV' = M(P_1, IV);

computing Q_0 = H(IV'); and

for each plaintext block of the n plaintext blocks:

computing Q_i = E_K(Q_{i-1}) XOR P_i; and

computing C_i = M(P_i, Q_i),

thereby producing n ciphertext blocks,
wherein:

0 < i <= n, and
H is a hash function, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not to be encrypted, and selects a second
argument of M if bit P_{ij} is to be encrypted.

6. The method according to claim 5 and wherein H comprises SHA1.

7. The method according to claim 5 and wherein H(IV') comprises
E_K(IV') XOR IV'.

8. The method according to any of claims 5 - 7 and wherein M is 
chosen in accordance with a standard indicating bits that are not to be encrypted. 

9. The method according to claim 8 and wherein the standard 
comprises one of the following: an audio standard; a video standard; and an 
audio-video standard. 

10. The method according to claim 9 and wherein the standard
comprises MPEG-2.

11. In a method for producing at least one ciphertext block from at least
one plaintext block using a block cipher E and a key K in a stream mode, wherein
P_i denotes an i-th plaintext block, and C_i denotes an i-th ciphertext block, an
improvement comprising:

for each bit C_{ij} of block C_i, selecting P_{ij} as an output if bit P_{ij}
is not to be encrypted.

12. The method according to claim 11 and wherein the stream mode 
comprises CFM mode. 

13. Apparatus for producing at least one ciphertext block from at least 
one plaintext block using a block cipher E and a key K, the at least one plaintext 
block comprising n plaintext blocks, the at least one ciphertext block comprising n 
ciphertext blocks, wherein n is an integer greater than 0, the apparatus comprising: 

an initialization unit for setting Q_0 equal to an initial value; and

a computation unit operative, for each plaintext block of the n
plaintext blocks:

to compute Q_i = E_K(Q_{i-1}) XOR P_i ; and
to compute C_i = M(P_i, ,

wherein:

0 < i <= n, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not to be encrypted, and selects a second
argument of M if bit P_{ij} is to be encrypted.

14. Apparatus for producing at least one ciphertext block from at least 

one plaintext block using a block cipher E, a key K, and an initial value IV, the at 
least one plaintext block comprising n plaintext blocks, the at least one ciphertext 
block comprising n ciphertext blocks, wherein n is an integer greater than 0, the 
apparatus comprising: 

a first computation unit for computing IV' = M(P_1, IV) ;

a second computation unit for computing

a third computation unit operative, for each plaintext block of the n
plaintext blocks:

to compute Q_i = E_K(Q_{i-1}) XOR P_i ; and
to compute C_i =

wherein:

0 < i <= n, and

H is a hash function, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not to be encrypted, and selects a second
argument of M if bit P_{ij} is to be encrypted.

15. In apparatus for producing at least one ciphertext block from at least
one plaintext block using a block cipher E and a key K in a stream mode, wherein
P_i denotes an i-th plaintext block, and C_i denotes an i-th ciphertext block, an
improvement comprising:

a selector unit operative, for each bit C_{ij} of block C_i, to select P_{ij}
as an output if bit P_{ij} is not to be encrypted.

16. A method for producing at least one plaintext block from at least
one ciphertext block encrypted using a block cipher E and a key K, the method
comprising:

receiving n ciphertext blocks, where n is an integer greater than 0;

setting Q_0 equal to an initial value; and

for each ciphertext block of the n ciphertext blocks:

computing Q'_i = E_K(Q_{i-1}) XOR C_i ;

computing P_i = M(C_i, Q'_i) ; and

computing Q_i = M(Q'_i, C_i) ,

thereby producing n plaintext blocks,
wherein:

0 < i <= n, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not encrypted, and selects a second
argument of M if bit P_{ij} is encrypted.

17. The method according to claim 16 and wherein M is chosen in
accordance with a standard indicating bits that are not encrypted.

18. The method according to claim 17 and wherein the standard
comprises one of the following: an audio standard; a video standard; and an 
audio-video standard. 

19. The method according to claim 18 and wherein the standard 
comprises MPEG-2. 

20. A method for producing at least one plaintext block from at least 
one ciphertext block using a block cipher E and a key K, the method comprising: 

receiving n ciphertext blocks, wherein n is an integer greater than 0, 
and an initial value IV; 

computing = M(P_1, IV) ;

computing Q_0 = H(IV') ; and

for each ciphertext block of the n ciphertext blocks:

computing Q'_i = E_K(Q_{i-1}) XOR C_i ;

computing P_i = M(C_i, Q'_i) ; and

computing Q_i = M(Q'_i, C_i) ,

thereby producing n plaintext blocks,
wherein:

0 < i <= n, and

H is a hash function, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not encrypted, and selects a second
argument of M if bit P_{ij} is encrypted.

21. The method according to claim 20 and wherein H comprises SHA1.

22. The method according to claim 20 and wherein H(IV')
comprises E_K(IV) XOR IV.

23. The method according to any of claims 20 - 22 and wherein M is
chosen in accordance with a standard indicating bits that are not encrypted.

24. The method according to claim 23 and wherein the standard
comprises one of the following: an audio standard; a video standard; and an
audio-video standard.

25. The method according to claim 24 and wherein the standard
comprises MPEG-2.

26. In a method for producing at least one plaintext block from at least
one ciphertext block using a block cipher E and a key K in a stream mode, wherein
P_i denotes an i-th plaintext block of the plurality of plaintext blocks, and C_i
denotes an i-th ciphertext block of the plurality of ciphertext blocks, an
improvement comprising:

for each bit P_{ij} of block P_i, selecting C_{ij} as an output if bit C_{ij}
is not encrypted.



27. The method according to claim 26 and wherein the stream mode 
comprises CFM mode. 

28. Apparatus for producing at least one plaintext block from at least 
one ciphertext block encrypted using a block cipher E and a key K, the at least one 
ciphertext block comprising n ciphertext blocks, the at least one plaintext block 
comprising n plaintext blocks, wherein n is an integer greater than 0, the apparatus 
comprising: 

initialization apparatus for setting Q_0 equal to an initial value; and

a computation unit operative, for each ciphertext block of the n
ciphertext blocks:

to compute Q'_i = E_K(Q_{i-1}) XOR C_i ;
to compute P_i = M(C_i, Q'_i) ; and
to compute Q_i = M(Q'_i, C_i) ,

wherein:

0 < i <= n, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not encrypted, and selects a second
argument of M if bit P_{ij} is encrypted.

29. Apparatus for producing at least one plaintext block from at least 

one ciphertext block using a block cipher E and a key K, the at least one ciphertext 
block comprising n ciphertext blocks, the at least one plaintext block comprising n 
plaintext blocks, wherein n is an integer greater than 0, the apparatus comprising: 
a first computation unit for computing IV' = M(P_1, IV) ;

a second computation unit for computing Q_0 = H(IV') ; and

a third computation unit operative, for each ciphertext block of the n
ciphertext blocks:

to compute Q'_i = E_K(Q_{i-1}) XOR C_i ;
to compute P_i = M(C_i, Q'_i) ; and
to compute Q_i = M(Q'_i, C_i) ,

wherein:

0 < i <= n, and
H is a hash function, and

P_i denotes an i-th plaintext block of the n plaintext blocks, and
C_i denotes an i-th ciphertext block of the n ciphertext blocks, and
M is a selector function which, for each bit C_{ij} of block C_i,
selects a first argument of M if bit P_{ij} is not encrypted, and selects a second
argument of M if bit P_{ij} is encrypted.

30. In apparatus for producing at least one plaintext block from at least 

one ciphertext block using a block cipher E and a key K in a stream mode, wherein 
P_i denotes an i-th plaintext block of the plurality of plaintext blocks, and C_i
denotes an i-th ciphertext block of the plurality of ciphertext blocks, an
improvement comprising:

a selector unit operative, for each bit P_{ij} of block P_i, to select
C_{ij} as an output if bit C_{ij} is not encrypted.

31. The method according to any of claims 1 - 12 or 16 - 27 and
substantially as described hereinabove.

32. The method according to any of claims 1 - 12 or 16 - 27 and
substantially as shown in the drawings.

33. Apparatus according to any of claims 13 - 15 or 28 - 30 and
substantially as described hereinabove.

34. Apparatus according to any of claims 13 - 15 or 28 - 30 and 
substantially as shown in the drawings. 
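
The encryption steps of claims 5 and 13 and the decryption steps of claims 16 and 20, as an added example that is not part of the application. Assumptions: the block cipher E is replaced by a small SHA-256 Feistel stand-in, blocks are 16 bytes, the selector M is driven by a per-block byte mask whose 1 bits mark bits left clear, SHA1 output is truncated to the block size, and the second argument of M in the encryption step (illegible in this copy) is taken to be Q_i, the choice that the decryption steps invert.

```python
import hashlib

BLOCK = 16  # block size in bytes (assumption; the claims fix no size)

def E(key, block):
    """Stand-in for E_K: 4-round Feistel keyed via SHA-256. Illustrative, not a vetted cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def M(first, second, clear):
    """Selector: take a bit from `first` where `clear` has 1 (bit not encrypted), else from `second`."""
    return bytes((f & m) | (s & ~m & 0xFF) for f, s, m in zip(first, second, clear))

def q0_from_iv(iv, block1, clear1):
    """Claims 5-6: IV' = M(P_1, IV), Q_0 = H(IV'), H = SHA1 (truncation to BLOCK is an assumption)."""
    return hashlib.sha1(M(block1, iv, clear1)).digest()[:BLOCK]

def cfm_encrypt(key, q0, plain, clear_masks):
    out, q = [], q0
    for p, m in zip(plain, clear_masks):
        q = xor(E(key, q), p)      # Q_i = E_K(Q_{i-1}) XOR P_i
        out.append(M(p, q, m))     # C_i = M(P_i, Q_i)  (second argument assumed)
    return out

def cfm_decrypt(key, q0, cipher, clear_masks):
    out, q = [], q0
    for c, m in zip(cipher, clear_masks):
        q_trial = xor(E(key, q), c)    # Q'_i = E_K(Q_{i-1}) XOR C_i
        out.append(M(c, q_trial, m))   # P_i = M(C_i, Q'_i)
        q = M(q_trial, c, m)           # Q_i = M(Q'_i, C_i): rebuilds the encryptor's feedback
    return out

def demo():
    """Constructed sample: 4 clear header bytes in block 1, everything else encrypted."""
    key, iv = b"constructed-key!", b"constructed-iv-0"
    plain = [b"\x00\x00\x01\xb3HDR-payload1", b"payload-block-02"]
    masks = [b"\xff" * 4 + bytes(12), bytes(BLOCK)]
    cipher = cfm_encrypt(key, q0_from_iv(iv, plain[0], masks[0]), plain, masks)
    # The receiver sees only C_1; its clear bits equal P_1's, so it derives the same Q_0.
    recovered = cfm_decrypt(key, q0_from_iv(iv, cipher[0], masks[0]), cipher, masks)
    return plain, cipher, recovered
```

Calling `demo()` returns the plaintext, the ciphertext (whose first four bytes are unchanged) and the recovered plaintext; any party that parses the clear header can do so without the key, while the feedback chain still depends on every plaintext bit.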



Respectfully submitted, 

Sanford T. Colb & Co. 
Advocates & Patent Attorneys 
C: 49324